
osm4wiki links return an error page reading "Don't disturb Wikipedia. Thanks" when referrer is not a Wikipedia project.
Open, Needs Triage · Public

Description

Use of osm4wiki links with any non-Wikipedia site as the referrer fails and returns an error page rather than the map. This means that users who use osm4wiki links on a non-Wikipedia project (such as Commons), from a browser bookmark, or received by email or IM, will receive the error page.

Steps to reproduce:

1: Copy the link to an OSM entry on osm4wiki such as https://tools.wmflabs.org/osm4wiki/cgi-bin/wiki/wiki-osm.pl?project=en&article=National_Register_of_Historic_Places_listings_in_Hampshire_County%2C_West_Virginia.

2: Paste the link into a new browser tab or window, bookmark the link and use the bookmark, or use it from any site except a Wikipedia.

Expected behavior: The desired OSM map with NRHP locations would be displayed.

Actual behavior: An error page saying "Don't disturb Wikipedia. Thanks." is displayed.

I have confirmed that this is referrer-based by using a referrer spoofer to always send a Wikipedia page as the referrer to osm4wiki. This will result in the map being displayed normally rather than receiving the error page. The content of this error message makes it especially an issue, as it appears to indicate that the user was trying to do something malicious when they are not.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Apr 29 2019, 2:41 PM

@Seraphimblade: Did @Plenz explicitly agree to work on this? Asking as you set them as assignee.

I can imagine that this is expected behavior. Tools hosted on Toolforge are supposed to serve and support Wikimedia projects, not random websites?

Though if this does not work on/from Wikimedia Commons that sounds like a bug indeed.

Seraphimblade added a comment. · Edited · Apr 29 2019, 3:18 PM

@Aklapper: Plenz is listed as the tool maintainer, so he seemed like the right one. I presume that can be changed if need be?

It's not only that it doesn't work from Commons. It also would not work if, for example, I were planning a trip with other Wikimedia users to photograph NRHP locations, and emailed them the link. When they clicked on it from the email, it would fail and give them that error due to the referrer. Same if I bookmarked it for later reference since then the referrer is null. So it is broken on Commons (and any other non-Wikipedia Wikimedia project), but it's also broken for many other legitimate potential uses.

Regardless, the error message seems overly aggressive. Someone clicking a bookmark is not doing or attempting to do something malicious or disruptive.

Seraphimblade removed Plenz as the assignee of this task. · Apr 29 2019, 3:23 PM
Seraphimblade added a subscriber: Plenz.
Plenz added a comment. · Apr 29 2019, 9:13 PM

Indeed, IMHO it was not a bug, it was a feature. The reason was an e-mail about a security vulnerability mentioned in T219178 (which I cannot read) and I found it a good idea to let my program accept only original links from Wikipedia. Well - I did not know that my program is also used from Commons, but nice to hear this :)

OK, I understand that my idea was bad, and today I removed this feature and I hope the program works as expected. Against security risks, my program checks for terms like "fromcharcode" in the URL and displays "Don't disturb Wikipedia" in those cases.

Confirmed working. Thanks to @Plenz for taking a look at it so quickly!
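
Added example, not part of the thread and not osm4wiki's own code: the Referer gate that was removed, next to per-parameter validation and output encoding that give the same result wherever the link was clicked. The parameter names `project` and `article` come from the URL in the report; the host check, the project-code pattern, the length limit and the page template are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed shape of a project code ("en", "de", "zh-yue"); not taken from osm4wiki.
PROJECT_RE = re.compile(r"[a-z]{2,3}(?:-[a-z]{2,12})?")


def referer_gate(referer):
    """Behaviour reported in the task: only Wikipedia referrers are accepted.
    The suffix check is an assumed implementation. The header is set by the
    client and is absent for bookmarks and e-mail links."""
    if not referer:
        return False
    host = urlsplit(referer).hostname or ""
    return host.endswith(".wikipedia.org")


def render(query_string):
    """Referer-independent handling: validate each parameter, encode on output.
    Returns (status, body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    project = params.get("project", [""])[0]
    article = params.get("article", [""])[0]
    if not PROJECT_RE.fullmatch(project):
        return 400, "Unknown project"
    if not article or len(article) > 255 or any(ord(c) < 32 for c in article):
        return 400, "Invalid article title"
    # Titles legitimately contain commas, quotes and ampersands, so the value
    # is not filtered by keyword; it is HTML-escaped where it enters the page.
    safe = html.escape(article, quote=True)
    return 200, f"<h1>Map for {safe} ({project}.wikipedia.org)</h1>"


# Constructed sample requests modelled on the cases in the thread.
GOOD_QS = ("project=en&article=National_Register_of_Historic_Places_"
           "listings_in_Hampshire_County%2C_West_Virginia")
MARKUP_QS = "project=en&article=%3Cb%3ETitle%3C%2Fb%3E"

if __name__ == "__main__":
    for ref in (None, "https://commons.wikimedia.org/wiki/Main_Page",
                "https://en.wikipedia.org/wiki/Main_Page"):
        print(ref, referer_gate(ref), render(GOOD_QS)[0])
    print(render(MARKUP_QS))
```
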